google_spider

This plugin finds new URLs using google. It will search for "site:domain.com" and do GET requests all the URLs found in the result. One configurable parameter exists: resultlimit Plugin type Crawl Options Name | Type | Default Value | Description | Help ---|---|---|---|--- resultlimit | integer |...

get_emails

This plugin greps every page for emails, these can be used in other places, like bruteforce plugins, and are of great value when doing a complete information security assessment. Plugin type Grep Options Name | Type | Default Value | Description | Help ---|---|---|---|--- onlytargetdomain | boole...

domain_dot

This plugin finds misconfigurations in the virtual host settings by sending a specially crafted request with a trailing dot in the domain name. For example, if the input for this plugin is http://host.tld/ , the plugin will perform a request to http://host.tld./ . In some misconfigurations, the...

content_negotiation

This plugin uses HTTP content negotiation to find new resources. The plugin has three distinctive phases: Identify if the web server has content negotiation enabled. For every resource found by any other plugin, perform a request to find new related resources. For example, if another plugin finds...

dot_net_event_validation

ASP.NET implements a method to verify that every postback comes from the corresponding control, which is called EventValidation. In some cases the developers disable this kind of verifications by adding EnableEventValidation="false" to the .aspx file header, or in the web.config or system.config...

email_report

This plugin sends short report only vulnerabilities by email to specified addresses. There are some configurable parameters: smtpServer smtpPort toAddrs fromAddr Plugin type Output Options Name | Type | Default Value | Description | Help ---|---|---|---|--- smtpServer | string | localhost | SMTP...

file_upload

This plugin will try to expoit insecure file upload forms. One configurable parameter exists: extensions The extensions parameter is a comma separated list of extensions that this plugin will try to upload. Many web applications verify the extension of the file being uploaded, if special extensio...

dot_listing

This plugin searches for the .listing file in all the directories and subdirectories that are sent as input and if found it will try to discover new URLs from its content. The .listing file holds information about the list of files in the current directory. These files are created when download...

finger_pks

This plugin finds mail addresses in PGP PKS servers. Plugin type Infrastructure Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the hood: Plugin...

finger_google

This plugin finds mail addresses in google. Two configurable parameters exist: resultlimit fastsearch If fastsearch is set to False, this plugin searches google for : "@domain.com", requests all search results and parses them in order to find new mail addresses. If the fastsearch configuration...

rfi

This plugin finds remote file inclusion vulnerabilities. Three configurable parameters exist: listenaddress listenport usew3afsite There are two ways of running this plugin, the most common one is to use w3afs site w3af.sf.net as the URL to include. This is convenient and requires zero...

pykto

This plugin is a nikto port to python. It uses the scandatabase file from nikto to search for new and vulnerable URLs. The following configurable parameters exist: cgidirs admindirs nukedirs extradbfile mutatetests This plugin reads every line in the scandatabase and extradbfile and based on the...

phpinfo

This plugin searches for the PHP Info file in all the directories and subdirectories that are sent as input and if it finds it will try to determine the version of the PHP. The PHP Info file holds information about the PHP and the system version, environment, modules, extensions, compilation...

console

This plugin writes the framework messages to the console. One configurable parameter exists: verbose Plugin type Output Options Name | Type | Default Value | Description | Help ---|---|---|---|--- verbose | boolean | False | Enables verbose output for the console | No detailed help available Sour...

directory_indexing

This plugin greps every response directory indexing problems. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the hood: Plugin sour...

url_session

This plugin finds URLs which contain a parameter that stores the session ID. This configuration leaves the session id exposed in browser and server logs, and is also leaked through the HTTP referrer header. Plugin type Grep Options This plugin doesnt have any user configured options. Source For...

wsdl_greper

This plugin greps every page for WSDL definitions. Not all wsdls are found appending "?WSDL" to the url like crawl.wsdlfinder plugin does, this grep plugin will find some wsdls that arent found by the crawl plugin. Plugin type Grep Options This plugin doesnt have any user configured options. Sour...

halberd

This plugin tries to find if an HTTP Load balancer is present. Plugin type Infrastructure Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the hood:...

blank_body

This plugin finds HTTP responses with a blank body, these responses may indicate errors or misconfigurations in the web application or the web server. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated...

wordpress_fullpathdisclosure

This plugin try to find the path in the server where WordPress is installed. Plugin type Crawl Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the...

frontpage_version

This plugin searches for the FrontPage Server Info file and if it finds it will try to determine the version of the Frontpage Server Extensions. The file is located inside the web server webroot. For example: http://localhost/vtiinf.html Plugin type Infrastructure Options This plugin doesnt have...

cache_control

This plugin analyzes every HTTPS response and reports instances of incorrect cache control which might lead the users browser to cache sensitive contents on their system. The expected headers for HTTPS responses are: Pragma: No-cache Cache-control: No-store Plugin type Grep Options This plugin...

finger_bing

This plugin finds mail addresses in Bing search engine. One configurable parameter exist: resultlimit This plugin searches Bing for : "@domain.com", requests all search results and parses them in order to find new mail addresses. Plugin type Infrastructure Options Name | Type | Default Value |...

password_profiling

This plugin creates a list of possible passwords by reading responses and counting the most common words. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understa...

global_redirect

This plugin finds global redirection vulnerabilities. This kind of bugs are used for phishing and other identity theft attacks. A common example of a global redirection would be a script that takes a "url" parameter and when requesting this page, a HTTP 302 message with the location header to the...

os_commanding

This plugin will find OS commanding vulnerabilities. The detection is performed using two different techniques: Time delays Writing a known file to the HTML output With time delays, the plugin sends specially crafted requests that, if the vulnerability is present, will delay the response for 5...

html_file

This plugin writes the framework messages to an HTML report file. Two configurable parameters exist: outputfile verbose If you want to write every HTTP request/response to a text file, you should use the textfile plugin. Plugin type Output Options Name | Type | Default Value | Description | Help...

symfony

This plugin greps every page for traces of the Symfony framework and the lack of CSRF protection. Plugin type Grep Options Name | Type | Default Value | Description | Help ---|---|---|---|--- override | boolean | False | Skip symfony detection and search for the csrf misprotection. | No detailed...

strange_reason

Analyze HTTP response reason messages sent by the remote web application and report uncommon findings. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand...

xssed_dot_com

This plugin searches the xssed.com database and parses the result. The information stored in that database is useful to know about previous XSS vulnerabilities in the target website. Plugin type Infrastructure Options This plugin doesnt have any user configured options. Source For more informatio...

buffer_overflow

This plugin finds buffer overflow vulnerabilities. Users have to know that detecting a buffer overflow vulnerability will be only possible if the server is configured to return errors, and the application is developed in cgi-c or some other language that allows the programmer to do their own memo...

archive_dot_org

This plugin does a search in archive.org and parses the results. It then uses the results to find new URLs in the target site. This plugin is a time machine ! Plugin type Crawl Options Name | Type | Default Value | Description | Help ---|---|---|---|--- maxdepth | integer | 3 | Maximum recursion...

phishing_vector

This plugins finds phishing vectors in web applications, for example, a bug of this type is found if I request the URL "http://site.tld/asd.asp?info=http://attacker.tld" and in the response HTML the web application sends: … iframe src="http://attacker.tld" …. Plugin type Audit Options This plugin...

ldapi

This plugin will find LDAP injections by sending a specially crafted string to every parameter and analyzing the response for LDAP errors. Plugin type Audit Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres...

form_autocomplete

This plugin greps every page for autocomplete-able forms containing password-type inputs. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats...

wordpress_fingerprint

This plugin finds the version of a WordPress installation by fingerprinting it. It first checks whether or not the version is in the index header and then it checks for the "real version" through the existance of files that are only present in specific versions. Plugin type Crawl Options This...

code_disclosure

This plugin greps every page in order to find code disclosures. Basically it greps for ?.? and %.% using the re module and reports findings. Code disclosures are usually generated due to web server misconfigurations, or wierd web application "features". Plugin type Grep Options This plugin doesnt...

sqli

This plugin finds SQL injections. To find this vulnerabilities the plugin sends the string dz"0 to every injection point, and searches for SQL errors in the response body. Plugin type Audit Options This plugin doesnt have any user configured options. Source For more information about this plugin...

server_header

This plugin GETs the server header and saves the result to the knowledge base. Nothing strange, just do a GET request to the url and save the server headers to the kb. A smarter way to check the server type is with the hmap plugin. Plugin type Infrastructure Options This plugin doesnt have any us...

spider_man

This plugin is a local proxy that can be used to give the framework knowledge about the web application when it has a lot of client side code like Flash or Java applets. Whenever a w3af needs to test an application with flash or javascript, the user should enable this plugin and use a web browser...

click_jacking

This plugin greps every page for X-Frame-Options header and so for possible ClickJacking attack against URL. Additional information: https://www.owasp.org/index.php/Clickjacking Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this...

strange_headers

This plugin greps all headers for non-common headers. This could be useful to identify special modules and features added to the server. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres...

cors_origin

Inspect if application check that the value of the "Origin" HTTP header is consistent with the value of the remote IP address/Host of the sender of the incoming HTTP request. Configurable parameters are: originheadervalue Note : This plugin is useful to test "Cross Origin Resource Sharing CORS"...

mx_injection

This plugin will find MX injections. This kind of web application errors are mostly seen in webmail software. The tests are simple, for every injectable parameter a string with special meaning in the mail server is sent, and if in the response I find a mail server error, a vulnerability was found...

ssn

This plugins scans every response page to find the strings that are likely to be the US social security numbers. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to...

import_results

This plugin serves as an entry point for the results of other tools that identify URLs. The plugin reads from different input files and directories and creates the fuzzable requests which are needed by the audit plugins. Two configurable parameter exist: inputcsv inputburp One or more of these ne...

feeds

This plugin greps every page and finds rss, atom, opml feeds on them. This may be usefull for determining the feed generator and with that, the framework being used. Also this will be helpful for testing feed injection. Plugin type Grep Options This plugin doesnt have any user configured options...

sitemap_xml

This plugin searches for the sitemap.xml file, and parses it. The sitemap.xml file is used by the site administrator to give the Google crawler more information about the site. By parsing this file, the plugin finds new URLs and other useful information. Plugin type Crawl Options This plugin does...

cross_domain_js

Find script tags with src attributes that point to a different domain. It is important to notice that websites that depend on external javascript sources are delegating part of their security to those entities, so it is imperative to be aware of such code. Plugin type Grep Options This plugin...

csv_file

This plugin exports all identified vulnerabilities and informations to the given CSV file. One configurable parameter exists: outputfile Plugin type Output Options Name | Type | Default Value | Description | Help ---|---|---|---|--- outputfile | outputfile | output-w3af.csv | The name of the outp...